Just to add my $0.02 here because it can be difficult to hold the line in situations like this… Even though it’s uncomfortable for us to have auto-updates enabled without an off switch, I believe it’s the right way to go, for servers and embedded devices in particular, or anything headless - it’s the only way we’ll keep them secure over time.
One additional concern, that might not have been covered explicitly above - is around data usage on cellular connections. Many connected devices are on cellular plans with 100MB/mth data allocation.
Having some way to opt out of a very frequent release cadence (especially for large snaps) would be important for these devices.
Maybe a new ‘critical’ track that developers would only release to if a serious issue was identified? e.g. to prevent DDoS